Secure password resets at the IT service desk with Specops Secure Service Desk

Are you looking for a better way to empower your service desk technicians with the ability to verify the identity of end users who call?  We take a look at Specops Secure Service Desk which provides strong identity verification features for service desk professionals working with end users to reset passwords on their accounts among other high risk use cases such as unlocking computers.

With many organizations today having shifted most of their employees to remote work, certain pain points in supporting remote workers can arise.  One of the basic problem areas of supporting remote workers, or any end users really, is locked-out accounts and expired passwords.

Additionally, verifying users who call in to the service desk to have a password reset poses a security risk to the organization.  How can you verify the user is who they say they are and prevent a social engineering attack?  Specops has released a brand-new product called Secure Service Desk that helps to solve this problem.

What is Specops Secure Service Desk?

What is the new Secure Service Desk exactly?  It is a solution that allows your service desk technicians to assist end users through human interaction.  When working with an end user on the phone, the technician can use Secure Service Desk to verify the end user’s identity by enforcing the use of the identity services the end user has been pre-enrolled in.  Options include OTPs via email or mobile and third-party identity services, all of which can leverage existing user data in Active Directory.

Secure Service Desk includes the following abilities:

  • Verify user identity
  • Enforce user authentication
  • Unlock accounts and reset passwords

It makes these processes secure by the use of multi-factor authentication.  It supports a number of multi-factor authentication providers including:

  • Mobile and Email Code
  • Duo Security
  • Okta Verify

It’s not surprising to see Specops in this space, as they have been a major provider of password management tools and authentication solutions for a number of years now.  This is certainly a hot topic for security today, as many organizations have come to realize that passwords and user identity are often the weak link in overall security and the primary “hole in the armor” behind data breaches.

Let’s take a look at the new Specops Secure Service Desk tool and see how it can bolster the security of user identity, password resets, and self-service for end users.

Installation and configuration

There are basically two components to setting up Specops Secure Service Desk.  You will set up the following:

  • Specops Secure Service Desk cloud account
  • An on-premises “Gatekeeper” component

In setting up both components, I was pleasantly surprised at how quickly and easily both were configured.

Setting up the Specops cloud account

The first component of the Secure Service Desk is to sign up and create the Specops cloud account. Specops will create a new account for you with a UPN suffix appended to your existing public-facing domain name so that it is unique.

Create the Specops cloud account and password

Once you have created your account and logged in, you will see the Specops Authentication dashboard.  Here you will be presented with a workflow to finish configuring your Secure Service Desk.

As mentioned earlier, the solution requires that you have an on-premises component called the “Gatekeeper” to integrate with your on-premises Active Directory environment.  Click the button Create new Gatekeeper.

Create a new Gatekeeper

For instructions on installing the on-premises Gatekeeper component, see the documentation provided by Specops here: Specops Gatekeeper installation

Configuring the Service Desk

By default, there isn’t anything you are required to configure beyond the Gatekeeper to get started with the Service Desk portal.  It will already be integrated with your Active Directory environment and will have visibility into the enrollment status of your users.  However, as shown below, you can click the Configure button to set Policy settings that govern which types of identity verification the service desk technician must perform before managing users through the portal, and which identity services are offered to end users for verification at the service desk.

Configuring the service desk policy

You can select the identity services you want to make use of and check these as required for verification.

Configure identity services that must be used by service desk technicians

Additionally, from the portal there is a setting to force identity verification. If this is checked, service desk agents will have to successfully verify users’ identities before being able to perform a password reset for example.

Force identity verification setting

There is also reporting to keep track of when user verification was performed, which identity service was used during verification, and account unlocks and password resets. This is a very useful report, and it can be exported to CSV, Excel, JSON, and other formats.

Reporting dashboard

Now, let’s look at the service desk itself.  Once you navigate to the dashboard for Service Desk, click the “hamburger” menu in the upper right-hand corner.  You can then search for users you want to verify.

Searching for a user to verify identity

Select the user you want to work with.

Pick the user whose identity you want to verify

With the user on the phone, the service desk technician clicks the Verify identity button.

Click to verify the identity

This launches the verification screen.  Here you can choose the quick verification mechanism used to verify the end user, based on the services the end user has enrolled in. As you can see in the screen below, the user icon is red, indicating that the user’s identity has not been verified. In this example, I am using the mobile code to verify.  This texts a code to the phone number enrolled for the user.

As you can see, the end user has to actually be in possession of the enrolled mobile device to answer the verification request, which makes it much harder for an attacker to circumvent.

Choosing the identity verification method to verify an end user

The service desk technician then enters the code the end user reads back to them and clicks Verify.

Using the quick verify to verify an end user in the Service Desk

Note that in the screenshot above, the service desk technician can actually navigate to the Reset Password link without verifying the user first.  If you want to force identity verification before a password reset, there is a setting for this.  Additionally, you can select to have a password randomly generated and sent to the end user without the service desk technician seeing it.

This may be required by various regulatory compliance frameworks and is good security hygiene in general, since it eliminates any chance of a service desk technician possessing a legitimate user password during the process.

Change settings for the Service Desk to force identity verification and autogenerate passwords

As you can see below, the Reset Password link is greyed out until the user is verified.  This provides an effective defense against social engineering attacks in which a service desk technician is persuaded to simply reset a password without verifying the caller.

Reset password is now greyed out until verification is validated

Additionally, with the random password option selected, the password is randomly generated and, in this scenario with the mobile code configured, texted to the user.

Service desk technician cannot see the password that is reset on the end user account

The user’s password is randomly generated and texted to the user, and the account password is changed to the value that was messaged to them.

Password is successfully generated and sent to the end user
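To make the control just walked through concrete, here is an added Python model of a verification-gated service desk reset. It is example code written for this article, not Specops code and not how the product is implemented; the dict-based directory, the SMS stub, the five-minute code lifetime and three-attempt limit are all constructed assumptions. It shows the three properties the screenshots illustrate: the one-time code is held server-side and compared in constant time, the reset is refused while the caller is unverified when the policy is on, and the new password goes straight to the user's enrolled phone without ever being returned to the technician, with every step landing in an audit trail like the reporting view above.

```python
"""Illustrative model of a verification-gated service desk password reset.

Not Specops code. The directory, SMS channel, code lifetime and attempt limit
are constructed assumptions for this example.
"""
import hmac
import secrets
import string
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300      # assumed lifetime of a mobile code
MAX_OTP_ATTEMPTS = 3       # assumed number of guesses allowed per challenge
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG; never logged or shown to the technician."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class ServiceDesk:
    def __init__(self, directory, send_sms, force_verification=True, clock=time.time):
        self.directory = directory          # {user: {"phone": ..., "password": ...}} (constructed)
        self.send_sms = send_sms            # send_sms(phone, text); the technician never sees text
        self.force_verification = force_verification
        self.clock = clock                  # injectable so expiry can be tested
        self.challenges = {}                # user -> outstanding Challenge
        self.verified = set()               # users verified during this session
        self.audit = []                     # (technician, user, event, detail) rows for reporting

    def start_verification(self, technician, user):
        """Text a one-time code to the enrolled phone; the code stays server-side."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[user] = Challenge(code=code, issued_at=self.clock())
        self.send_sms(self.directory[user]["phone"], f"Service desk verification code: {code}")
        self.audit.append((technician, user, "challenge_sent", "mobile_code"))

    def verify(self, technician, user, code_read_back):
        """The technician types the code the caller reads back; compare in constant time."""
        ch = self.challenges.get(user)
        if ch is None:
            self.audit.append((technician, user, "verify_failed", "no_challenge"))
            return False
        if self.clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self.challenges[user]
            self.audit.append((technician, user, "verify_failed", "expired"))
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code, code_read_back)
        if ok:
            del self.challenges[user]
            self.verified.add(user)
            self.audit.append((technician, user, "verified", "mobile_code"))
        elif ch.attempts >= MAX_OTP_ATTEMPTS:
            del self.challenges[user]
            self.audit.append((technician, user, "verify_failed", "too_many_attempts"))
        else:
            self.audit.append((technician, user, "verify_failed", "wrong_code"))
        return ok

    def reset_password(self, technician, user):
        """The 'greyed-out Reset Password' rule: refuse until the caller is verified
        (when the policy is on). The new password is sent only to the user's phone."""
        if self.force_verification and user not in self.verified:
            self.audit.append((technician, user, "reset_denied", "unverified"))
            raise PermissionError(f"{user} has not been verified")
        new_password = generate_password()
        self.directory[user]["password"] = new_password
        self.send_sms(self.directory[user]["phone"], f"Your new password is {new_password}")
        self.verified.discard(user)         # one verification covers one privileged action
        self.audit.append((technician, user, "password_reset", "random_sent_to_user"))
        return True                         # deliberately returns no password


if __name__ == "__main__":
    # Constructed sample directory and an SMS stub that just collects messages.
    outbox = []
    desk = ServiceDesk({"alice": {"phone": "+1-555-0100", "password": "old"}},
                       lambda phone, text: outbox.append((phone, text)))
    desk.start_verification("tech1", "alice")
    code = outbox[-1][1].split()[-1]        # what the caller reads back over the phone
    print("verified:", desk.verify("tech1", "alice", code))
    print("reset:", desk.reset_password("tech1", "alice"))
    for row in desk.audit:
        print(row)
```

The stub SMS channel stands in for the enrolled mobile number; in the real product that channel is the identity service the user enrolled in, and the audit list stands in for the exportable reporting view.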

Wrapping Up and final impressions

I found the features of Specops Secure Service Desk to be excellent for organizations looking to improve the security of service desk operations and bolster their password reset process.  It gives service desk technicians a means to effectively verify the identity of a purported end user who requests a password reset.  This should make it significantly more difficult for an attacker to steal credentials through social engineering or similar attacks.

As shown, IT administrators can enforce the setting that requires identity verification before resetting a password for an end user.  Additionally, you can prevent a service desk technician from ever possessing an end user password by enforcing random password generation, with the password sent securely to the end user.

For a fully-featured trial version of the software, take a look at the Specops Secure Service Desk download.
